diff --git a/backport-CVE-2022-3705.patch b/backport-CVE-2022-3705.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b93c74cee47e4ea066b51ba4d740374a2fa47f04
--- /dev/null
+++ b/backport-CVE-2022-3705.patch
@@ -0,0 +1,72 @@
+From d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 20 Oct 2022 16:03:33 +0100
+Subject: [PATCH] patch 9.0.0805: filetype autocmd may cause freed memory
+ access
+
+Problem: Filetype autocmd may cause freed memory access.
+Solution: Set the quickfix-busy flag while filling the buffer.
+---
+ src/quickfix.c | 6 ++++++
+ src/testdir/test_quickfix.vim | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index a90611475ab1..f85fff56f23d 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -4543,6 +4543,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+ qf_winid = win->w_id;
+ }
+
++ // autocommands may cause trouble
++ incr_quickfix_busy();
++
+ if (old_last == NULL)
+ // set curwin/curbuf to buf and save a few things
+ aucmd_prepbuf(&aco, buf);
+@@ -4564,6 +4567,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+ // when the added lines are not visible.
+ if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline)
+ redraw_buf_later(buf, NOT_VALID);
++
++ // always called after incr_quickfix_busy()
++ decr_quickfix_busy();
+ }
+ }
+
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 2ee754b39690..bcaef5da175c 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -3471,6 +3471,21 @@ func Test_resize_from_copen()
+ endtry
+ endfunc
+
++func Test_filetype_autocmd()
++ " this changes the location list while it is in use to fill a buffer
++ lexpr ''
++ lopen
++ augroup FT_loclist
++ au FileType * call setloclist(0, [], 'f')
++ augroup END
++ silent! lolder
++ lexpr ''
++
++ augroup FT_loclist
++ au! FileType
++ augroup END
++endfunc
++
+ func Test_vimgrep_with_textlock()
+ new
+
+@@ -6380,4 +6395,5 @@ func Test_loclist_replace_autocmd()
+ call setloclist(0, [], 'f')
+ endfunc
+
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.33.0
+
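Review bot: `Test_filetype_autocmd()` in the embedded test hunk contains no assertion, so it fails only if the freed-memory access actually crashes Vim or the suite runs under a memory checker; an ordinary `make test` run, which the spec's check step appears to use, can pass with or without the `qf_update_buffer()` change. Running this one test once against an ASan or valgrind build of the patched package would confirm that the backport took effect on this tree. Separately, the comment `// autocommands may cause trouble` does not say what the counter protects; something like `// a FileType autocommand may free the list while the buffer is being filled; keep it busy until the matching decr_quickfix_busy()` would record the reason. The lines of `qf_update_buffer()` between the two added calls lie outside the embedded hunks, so whether any path skips `decr_quickfix_busy()` cannot be checked from here and should be verified in the backport target.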
diff --git a/vim.spec b/vim.spec index d6f0c96eff1dd6e76b5170df0355f1b02e21770f..d0bc0b9e2f93884e6778cbaa40f0f507659b6769 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 19 +Release: 20 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -73,6 +73,7 @@ Patch6042: backport-CVE-2022-3278.patch Patch6043: backport-CVE-2022-3297.patch Patch6044: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch Patch6045: backport-CVE-2022-3324.patch +Patch6046: backport-CVE-2022-3705.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -472,6 +473,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Tue Nov 01 2022 wangjiang - 2:9.0-20 +- Type:CVE +- ID:CVE-2022-3705 +- SUG:NA +- DESC:fix CVE-2022-3705 + * Mon Oct 17 2022 dongyuzhen - 2:9.0-19 - Type:CVE - ID:CVE-2022-3278 CVE-2022-3297 CVE-2022-3324